Which? has compared the online security of 12 of the UK's biggest banks, with NatWest coming out on top.
The consumer affairs body has tested the security of providers' online banking based on login, encryption, account management and navigation.
NatWest's score of 83% was the best return by a comfortable margin, with Nationwide in second place on 75%.
Lloyds, HSBC Barclays and Tesco Bank round out the top half of the table, all with scores in the low 70s.
Banks were penalised for two-factor authentication (2FA) not being compulsory or allowing logins from multiple browsers or devices at the same time.
Which? states that 2FA should be regarded as the norm given its use in email and social media but points out that Metro Bank, Santander and TSB are still lagging behind.
TSB came bottom of the ranking with a score of 50%, the last thing the bank needed given the lingering fallout from the mass data breach last year which caused nearly 2 million customers to lose access to online banking.
The bank is facing a lengthy investigation into this, with findings due to be published tomorrow.
Which?'s investigation also highlights the dangers of including phone numbers and links when messaging customers alerting them of a potential breach.
Six of the 12 banks were guilty of this. Barclays was one of them but has subsequently said that it has banned any phone number or URLS in customer alerts.
Which? believes that the procedures of mobile-only banks like Monzo and Starling are causing high street banks to raise their game regarding securing features in apps.
Instant card freezing is now offered by eight of the 12 banks, while Barclays and Lloyds are going further by allowing customers to control whether cards can be used online, abroad or at the cash machine.